FS-ISAC Report Focuses on the Security Priorities for Company CISOs

The Financial Services Information Sharing and Analysis Center (FS-ISAC) surveyed chief information security officers (CISOs) in the financial industry on their primary priorities for improving their organizations' security. According to the survey report, titled 2018 CISO Cybersecurity Trends, employee training was one of the top concerns for CISOs, with 35 percent of all those surveyed mentioning it as a top priority. This was followed by infrastructure upgrades and network defense at 25 percent and breach prevention not far behind at 17 percent.

The FS-ISAC classified the CISOs surveyed into two types: those who performed technical functions, such as chief information officers (CIOs), and those who performed non-technical functions, such as chief operations officers (COOs). The CISOs with technical functions tended to prioritize matters such as infrastructure upgrades, network defense, and breach prevention, while the non-technical CISOs saw the human element, that is, employee training, as a more significant issue.

The report also talked about how cybersecurity has evolved from a topic primarily dealt with by IT personnel to one that is on the minds of executives in boardroom meetings. This was reflected in the number of quarterly reports submitted by CISOs to their boards of directors, which stood at 53 percent. Furthermore, 8 percent of the CISOs surveyed went beyond the quarterly reports — some even provided monthly feedback.

The organization gave a list of recommendations for CISOs looking to build up their security posture.

Organizations should train employees on security issues, especially when it comes to downloading and executing unknown applications on company assets. Employees should also be able to report suspicious emails and attachments according to company regulations and policies.

Although the report noted that more than half of all CISOs gave quarterly security reports, the FS-ISAC encouraged even more frequent reporting to boards of directors for both readiness and transparency.

CISOs should be empowered to make decisions with regard to security, ensuring the free flow of critical information within their organizations, which can increase transparency and make the decision-making process more efficient.

Security as a Priority for Organizations

The FS-ISAC report highlights an important fact: Organizations need to prioritize security more than ever. The financial industry, in particular, is very vulnerable to attacks — from sophisticated campaigns by threat actors such as Lazarus, who were responsible for some of the more notable campaigns against financial organizations, to more simple but no less effective scams like Business Email Compromise (BEC) schemes. The past few months alone have seen a number of attacks against financial organizations, including the IcedID Trojan attacks or the more recent KillDisk attacks, which hit Latin American financial companies. Due to its size and very nature, the financial sector remains, in many ways, one of the primary targets of cybercriminals.

The security issues are not limited to the organization itself, however, as customers themselves can also be affected. For example, attacks that compromise ATMs directly impact users and, by extension, can harm a company’s reputation and even subject it to fines and penalties.

As mentioned in the FS-ISAC report, employees are especially critical when it comes to the implementation of an organization’s security plan. Educating users on key issues can bolster the security posture of an organization, as they are both the first line of defense and typically the main point of entry for malicious activity.

The harsh truth is that cybercrime is going to be more prevalent going forward. It’s time for organizations to shore up their defenses to counter malicious attacks, from the top executives of the organization down to the rank-and-file.

Organizations can start by looking into the implementation of the following security best practices that can help minimize the impact of threats:

Securing all possible points of entry to the system, such as the email gateway, reduces an organization’s exposure to threats by effectively filtering all incoming and outgoing traffic.

Any proper implementation of a security plan will also involve keeping devices, software, and systems up to date to prevent bugs or vulnerabilities from being exploited. For organizations that use older or legacy software, virtual patching can provide effective coverage without the need for immediate patching.

Proactively monitoring systems and networks provides an additional layer of security. A CISO, along with a dedicated team, is tasked not just to deal with threats as they happen but to also scan the organization’s network for any possible malicious activity.

To help CISOs combat malicious threats, organizations can look into solutions such as Trend Micro™ XGen™ security, which provides a cross-generational blend of threat defense techniques against a full range of threats for data centers, cloud environments, networks, and endpoints. It features high-fidelity machine learning to secure the gateway and endpoint data and applications, and protects physical, virtual, and cloud workloads.
